I clicked over here from the link from your comment on my blog to see if I could find out who you were. I’ve enjoyed skimming through several of your posts and was going to close out my browser until I saw this post…and figured I better leave a comment!

~natalie

The configuration I was referring to was connecting the internet to a gateway running Unix. This gate then passed all valid traffic to our internal router which routes it to the appropriate client. PPP is used to redirect the packet stream through a TCP wrapper. Passin, passout, bringup, and keepup are four variables in the SCO Unix box gateway I was referring to. The passout variable defines which outgoing packets can pass through the interface.(source) I apologize for not being more clear.

Squid is one way of content filtering.

Even if we were packet filtering for a specific string that string could get further fragmented if our MTU was small (or small in a router we came through). In this case the packet filter would have to assemble all the fragment and then filter based on content.

The extra hop an internal router to a network adds is fairly negligible.

Ad Muncher is another way you could filter URL with a GET or POST “?” in them.

If you use the GET method, then the only way to filter the stream is to search the packet payload with its GET method request for a question mark. If you use the POST method, the only way to filter the stream is to search the packet payload for the POST method request.

What you cannot do is filter on *anything* in the IP header or TCP header (nor, for that matter, the frame header). These will be indistinguishable between these requests. I am not aware that XP will allow you to fliter on packet payload.

It turns out that squid WILL allow you to filter the packet payload (but of course, squid is a web proxy server, not a firewall solution), but this is problematic. It is pretty much useless to do unless you also filter CONNECT. It is time consuming, because you must analyse the contents of the PDU, and it gains you very little in terms of actual security, although it will break lots of things on your site and make your web server unresponsive.

What do you mean by “define the passout variable with a custom rule set”?

I don’t know why *anyone* would choose to use SCO for a gateway, but let us suppose you are proposing that we have a UNIX like box placed in a DMZ as a firewall gateway.

Again, I don’t see why we care about whether PPP is used. Do you mean WAN side or LAN side? WAN side, I guess many links will be PPP - but that is the decision of the upstream network service provider. On the LAN side, it would be more sensible to use Ethernet or some other point to multipoint network bus. However, maybe you are suggesting an internal router with a PPP interface to the UNIX box. That makes sense in terms of division of the firewall and routing responsibilities (although, of course, your UNIX box remains a router, adding in an extra hop and associated latencies, as packets are being filtered).

But even if this *is* the scenario you propose, I have no idea what “define a passout variable” means. This is a packet filter, not a method call.

As far as the paradox goes. If you saw something happen in the future and did not do it then it never was the future to begin with and vice versa.

Also, suely you only have a temporal paradox if, having seen in the future that you DO post, you therefore decide NOT to post (or vice versa)

Another possibility is the paradox of a time portal that can see into the future. You can see that in the future you did not leave a post so therefore you do not leave a post when otherwise you would have posted. However, your not posting is in anticipation of not having such an occasion occur and is in fact the very reason such an occurance did not occur. Hence the paradox.